Web Spoofing Steve Newell • Mike Falcon Computer Security • CIS 4360
Jan 02, 2016
Introduction
“Phishing”
• Phishing is a form of identity theft in which deception is used to trick a user into revealing confidential information that has economic value.
Definition
• Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing that the website was created by a different person or organization.
• Web spoofing is a phishing scheme.
• The Gartner group estimates the direct phishing-related loss to US banks and credit card issuers in the last year to be $1.2 billion.
Statistic
• Indirect losses are much higher, including customer service expenses and account replacement costs.
The goal of phishing is to deceive the user via the following ways:
• Deceiving a user into believing a message comes from a trusted source.
• Deceiving a user into believing that a web site is a trusted institution.
• Deceiving a spam filter into classifying a phishing email as legitimate.
Phishing Technologies
• Deceptive return address information – attempts to appear to come from a trusted source.
• Fraudulent request for action – prompts the user to provide information.
• Deceptive appearance – mimics the visual appearance of the target site.
Deception
• Misleadingly named – a link such as http://security.commerceflow.com will lead to http://phisher.com.
• Redirected – if the targeted company has an “open redirect”, it can be used to redirect a legitimate URL to a phishing site.
Deceptive Links
• Obfuscated – using encoded characters to hide the destination address of a link, e.g. “abc” = "&#97;&#98;&#99;".
• Programmatically obscured – using a scripting language such as JavaScript to hide the destination of a link, for example with a mouse-over handler.
Deceptive Links
It is not possible to determine whether a connection to a site is secure by looking at a lock icon in a browser:
• A lock icon by itself means only that the site has a certificate.
• It is possible to get a browser to display a lock icon using a self-signed certificate.
• A lock icon may be overlaid on top of the browser using the same techniques used to fake the URL bar.
Deceptive Location
1. A deceptive message is sent from the phisher to the user.
2. A user provides confidential information to a phishing server (normally after some interaction with the server).
3. The phisher obtains the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phisher obtains illicit monetary gain.
Information Flow Model
Preventing phishing attacks: the average phishing site stays active for no more than 54 hours.
• Pre-emptive domain registration
• “Holding period” for new domain registrations
• E-mail authentication could prevent forged or misleading email return addresses.
Prevention
Defenses
• Open Information – allow different spam filters, e-mail clients, and browsers to exchange information about unsafe domains.
• Warn the User – alert the user when they attempt to click on an obfuscated link. Show the user the actual link, whether the site is trusted or not, and prompt the user whether or not they wish to continue to the link.
Defenses Against Early User Actions
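The "Warn the User" defense above depends on first recovering the real destination of an obfuscated link (the HTML-entity and percent-encoded links from the Deceptive Links slide). The following is an added example, not part of the original slides: it decodes an anchor's href, extracts the real host, compares it with the host the user sees in the link text, and builds the prompt a warning toolbar would show. All hostnames are constructed sample values.

```python
import html
import re
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Anchor text that "looks like" a URL: optional scheme, at least one dot in the host.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+(?:[/?#].*)?$", re.I)


def real_destination(href: str) -> Tuple[str, str]:
    """Undo the two encodings from the slide (HTML entities, then percent-encoding
    in the host) and return (decoded_url, real_host)."""
    decoded = html.unescape(href.strip())          # &#112; -> p
    parts = urlsplit(decoded)
    host = unquote(parts.hostname or "").lower()   # %70 -> p (browsers decode the host)
    return decoded, host


def visible_host(text: str) -> Optional[str]:
    """Host the user *sees* in the anchor text, or None if the text is not a URL."""
    t = text.strip()
    if not URL_LIKE.match(t):
        return None
    if "://" not in t:
        t = "http://" + t
    return (urlsplit(t).hostname or "").lower()


def check_link(href: str, text: str) -> dict:
    """'mismatch' if the shown URL names a different host than the real one,
    'ok' if they agree, 'opaque' if the text gives the user no host at all."""
    decoded, host = real_destination(href)
    shown = visible_host(text)
    verdict = "opaque" if shown is None else ("ok" if shown == host else "mismatch")
    return {"actual_url": decoded, "actual_host": host, "shown_host": shown, "verdict": verdict}


def warning(href: str, text: str) -> str:
    """Prompt a warning toolbar would display: always the actual link, never the text."""
    r = check_link(href, text)
    if r["verdict"] == "ok":
        return f"Link goes to {r['actual_host']} as shown."
    return f"This link really goes to {r['actual_url']} (host {r['actual_host']}). Continue?"


# Constructed sample anchors (href, visible text); all hosts are placeholders.
SAMPLE_ANCHORS = [
    ("http://phisher.example/login", "http://security.commerceflow.example"),
    ("http://&#112;&#104;&#105;&#115;&#104;&#101;&#114;.example/", "Update your account"),
    ("http://%70hisher.example/verify", "www.bank.example/verify"),
    ("https://www.bank.example/", "https://www.bank.example/"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_ANCHORS:
        print(check_link(href, text)["verdict"], "-", warning(href, text))
```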
Disrupting Data Transmission
• Monitor Outgoing Data – implement a browser toolbar that hashes information and checks whether confidential information is being sent.
• Blacklisting – block IP ranges of known phishing sites.
• Encryption – encrypt sensitive information before transmission.
Defenses
Defenses
Advanced Authentication
– Two-factor Authentication – require proof of two out of three criteria (what you are, what you have, or what you know).
– Requires some sort of hardware or time-sensitive information.
– Use a checksum to verify that the information came from the user's machine and not from a phisher.
Cross-site Scripting
Cross-site scripting is inserting a malicious script inside a secure domain.
– A phisher could insert a malicious script inside an auction listing or a product review to attack the user.
– The script would modify the host site so that the user believes he/she is interacting with the secure site.
– It is difficult to write a sufficient filter to remove cross-site scripting. How do you know whether a script is malicious?
– Cross-site scripting could be hindered by wrapping user-supplied content in a <noscript> tag.
Examples
Example 1: http://www.msfirefox.com/ vs. http://www.msfirefox.net/
Example 2: Florida Commerce Credit Union
Example 3: Thomas Scott’s Parody
Unofficial site / Official site
• Current technology is unable to completely stop phishing and web spoofing.
• Improvements in security technology can drastically reduce the number of phishing schemes.
Conclusion
Documentary Footage
Identity theft victims
Don’t let this happen to you.
Videos